I have just put up a PR. Please review it. Either Matt or I can cut a 2.16.0. I don’t see the point of 2.15.1 if we are going to do this.

Ralph

> On Dec 12, 2021, at 7:49 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> I like RERO but 3 releases in a week is a lot even for me :-)
>
> Gary
>
> On Sun, Dec 12, 2021 at 9:41 PM Remko Popma <remko.po...@gmail.com> wrote:
>
>> It seems that Ralph has already started to work on a PR to remove message lookups altogether from 2.x.
>>
>> I have come around to Volkan’s point that we don’t want to ask users to upgrade Log4j every week.
>>
>> So it may be better to cancel the 2.15.1 release and have a dedicated security release 2.16.0 with just the JNDI change and removing message lookups altogether.
>>
>> Does anyone have a strong desire to release 2.15.1 with just the JNDI change?
>>
>>> On Dec 13, 2021, at 11:06, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>
>>> Should we proceed with 2.15.1 or cancel it and go to 2.16.0 straight away?
>>>
>>> Gary
>>>
>>>> On Sun, Dec 12, 2021, 20:40 Remko Popma <remko.po...@gmail.com> wrote:
>>>>
>>>> I am also okay with removing Message Lookups from 2.x.
>>>> A release with that change should be called 2.16.0 though, not 2.15.1 or 2.15.2.
>>>>
>>>> Also it makes sense to *only* have that security change (removing Message Lookups) in such a 2.16.0 release and not add other features.
>>>> This will reduce the testing burden for people looking to upgrade.
>>>>
>>>> On Mon, Dec 13, 2021 at 8:12 Ralph Goers <ralph.go...@dslextreme.com> wrote:
>>>>
>>>>> Volkan,
>>>>>
>>>>> While ASF rules say a -1 vote is not a veto, for all practical purposes the release manager is going to consider it a blocker.
>>>>>
>>>>> A release that removes JNDI will prevent people from inadvertently using the JNDI Lookup, JMS, or JndiContextSelector without understanding the security risk of using them. Message Lookups are a different problem. We are not disabling JNDI so people can re-enable message lookups. That would be crazy. We are disabling JNDI because, despite all the fixes we have made, I still don’t trust it.
>>>>>
>>>>> We have all agreed Message Lookups need to be killed in master. If we are all in agreement to kill them now in 2.x I’m fine with that but the two are separate issues.
>>>>>
>>>>> If you are OK with the release then your vote should be anything but -1. If you really feel it needs a -1 then we need to see if we are all ok completely removing the option to re-enable message lookups. I would completely understand if that is what you want and I would support that so please don’t feel pressured to give in.
>>>>>
>>>>> Ralph
>>>>>
>>>>>> On Dec 12, 2021, at 2:08 PM, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>>>
>>>>>> You don't need my vote. As far as I count, you already have more than 3.
>>>>>>
>>>>>> I can imagine Ralph and the rest have worked sleeplessly for days. Hence if they think disabling JNDI buys us a benefit, so be it.
>>>>>>
>>>>>> If not millions, tens of thousands of people tried to upgrade Log4j to 2.15.0 recently. A release where JNDI lookup is disabled will only address people who still (astonishingly!) want to use "message lookups" – correct me if I'm wrong. Hence, I think in its current form, 2.15.1 will bring more confusion than benefit to the general audience. I think the fix to the vulnerability is to disable message lookups, not patches to the JNDI lookup. I want to believe that users get this fact right and have already disabled it. We need to be really careful with our next release. We can't expect people to upgrade once a week. Putting aside the damage it does to the reputation of the project.
>>>>>>
>>>>>> On Sun, Dec 12, 2021 at 9:47 PM Remko Popma <remko.po...@gmail.com> wrote:
>>>>>>
>>>>>>> First, is this really a blocker for 2.15.1?
>>>>>>> I think it is prudent to do urgent releases soon.
>>>>>>> This JNDI change (LOG4J2-3208 <https://issues.apache.org/jira/browse/LOG4J2-3208>) feels urgent enough to warrant another shortened vote window.
>>>>>>> A larger change like removing message lookups should not be rushed out like this, it needs review time.
>>>>>>>
>>>>>>> Second, do we really want to do this? Are we not overreacting?
>>>>>>> Would it not be better to remove lookups in message parameters only?
>>>>>>> (In implementation terms, resolve all lookups *before* interpolating the message parameters?)
>>>>>>>
>>>>>>> Also, let me state the obvious, lookups *in configuration* are tremendously useful and should not be removed.
>>>>>>> This may be obvious to some of us, but I just want to make sure there is no confusion about that (because I personally was confused about this at some point). :-)
>>>>>>>
>>>>>>> Finally, if we decide to do this, should a change like this be in a point/bugfix release (2.15.1) or should it be a separate minor release like 2.16.0?
>>>>>>>
>>>>>>> On Mon, Dec 13, 2021 at 5:10 AM Remko Popma <remko.po...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Shall we discuss this first please?
>>>>>>>>
>>>>>>>> On Mon, Dec 13, 2021 at 5:10 AM Matt Sicker <boa...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> If you can handle that change, I can roll a new release candidate.
>>>>>>>>>
>>>>>>>>> Matt Sicker
>>>>>>>>>
>>>>>>>>>> On Dec 12, 2021, at 14:07, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>>>>>>>
>>>>>>>>>> I know. I want them to be removed, not disabled.
>>>>>>>>>>
>>>>>>>>>>> On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker <boa...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Those were already disabled in 2.15.0.
>>>>>>>>>>>
>>>>>>>>>>> Matt Sicker
>>>>>>>>>>>
>>>>>>>>>>>> On Dec 12, 2021, at 13:41, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> I very well recognize your heroic effort on tackling this issue and I am very thankful for that.
>>>>>>>>>>>> I vote -1, because I want message (not configuration!) lookups to be removed.
>>>>>>>>>>>>
>>>>>>>>>>>> Message lookups create a vast attack surface. Anything they offer can simply be implemented by the user.
>>>>>>>>>>>>
>>>>>>>>>>>>> On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is a vote to release Log4j 2.15.1, the next version of the Log4j 2 project.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please download, test, and cast your votes on the log4j developers list.
>>>>>>>>>>>>> [] +1, release the artifacts
>>>>>>>>>>>>> [] -1, don't release because...
>>>>>>>>>>>>>
>>>>>>>>>>>>> The vote will remain open for 72 hours (or more if required). All votes are welcome and we encourage everyone to test the release, but only Logging PMC votes are “officially” counted. As always, at least 3 +1 votes and more positive than negative votes are required.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Changes in this release include:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fixed Bugs
>>>>>>>>>>>>>
>>>>>>>>>>>>> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tag:
>>>>>>>>>>>>> a) for a new copy do "git clone https://github.com/apache/logging-log4j2.git" and then "git checkout tags/log4j-2.15.1-rc1" or just "git clone -b log4j-2.15.1-rc1 https://github.com/apache/logging-log4j2.git"
>>>>>>>>>>>>> b) for an existing working copy do "git pull" and then "git checkout tags/log4j-2.15.1-rc1"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Web Site: https://logging.staged.apache.org/log4j/2.x/index.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> Maven Artifacts:
>>>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachelogging-1067/
>>>>>>>>>>>>>
>>>>>>>>>>>>> Distribution archives:
>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/logging/log4j/
>>>>>>>>>>>>>
>>>>>>>>>>>>> You may download all the Maven artifacts by executing:
>>>>>>>>>>>>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/
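Remko's implementation remark in the thread above (resolve all lookups *before* interpolating the message parameters) as an added example, not code from the thread or from Log4j itself: a toy Python model of a layout formatter with a constructed lookup table, showing that the ordering the thread wants to eliminate evaluates `${...}` text carried in a log parameter, while the proposed ordering leaves it literal. The pattern, lookup prefixes and values are constructed stand-ins, not Log4j's real lookups.

```python
import re
from typing import Callable, Dict

# Constructed lookup registry standing in for Log4j's ${prefix:key} lookups
# (toy values only; deliberately no JNDI-style lookup here).
LOOKUPS: Dict[str, Callable[[str], str]] = {
    "sys": lambda key: {"app.name": "orders-api", "hostname": "web-01"}.get(key, ""),
    "env": lambda key: {"REGION": "eu-west-1"}.get(key, ""),
}

# Constructed layout pattern (operator-controlled) and a request-controlled value.
PATTERN = "[${sys:app.name}@${env:REGION}] %m"
USER_AGENT = "${sys:hostname}"

_TOKEN = re.compile(r"\$\{([a-z]+):([^}]*)\}")


def resolve_lookups(text: str) -> str:
    """Replace every ${prefix:key} whose prefix is registered; others stay literal."""
    def repl(m: "re.Match[str]") -> str:
        fn = LOOKUPS.get(m.group(1))
        return fn(m.group(2)) if fn else m.group(0)
    return _TOKEN.sub(repl, text)


def interpolate_params(message: str, *params: str) -> str:
    """Fill each {} placeholder with the next parameter, left to right."""
    for p in params:
        message = message.replace("{}", p, 1)
    return message


def format_unsafe(pattern: str, message: str, *params: str) -> str:
    # Ordering the thread wants gone: parameters are spliced in first and lookups
    # are then resolved over the whole line, so ${...} inside a parameter (here a
    # user agent) is evaluated exactly as if the operator had configured it.
    line = pattern.replace("%m", interpolate_params(message, *params))
    return resolve_lookups(line)


def format_safe(pattern: str, message: str, *params: str) -> str:
    # Ordering Remko proposes: resolve lookups in the configured pattern only, then
    # splice in the message and its parameters. Message content is never handed to
    # the lookup resolver, so the request-controlled ${...} stays literal text.
    line = resolve_lookups(pattern)
    return line.replace("%m", interpolate_params(message, *params))
```

The property a reviewer would check in a real fix is the one `format_safe` enforces: message and parameter content never reaches the lookup resolver, while configuration lookups keep working.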